Ned Batchelder on Nostr: A long expert piece by npub1pfe56…9e2dm about why you shouldn't sign git commits ...

A long expert piece by npub1pfe56vzppw077dd04ycr8mx72dqdk0m95ccdfu2j9ak3n7m89nrsf9e2dm (npub1pfe…e2dm) about why you shouldn't sign git commits (tl;dr: there's no public web of trust so we don't know what it means; meaningless badges distract from true security; extra complexity; compromised keys could leave permanent lies): https://blog.glyph.im/2024/01/unsigned-commits.html#fnref:2:unsigned-commits-2024-1

https://cloudisland.nz/@ehashman/111814514609384307 rebuts that git commits are really easy to spoof so signing proves it was you.

What to do?